March Madness: A Slam Dunk for Hackers

Slack AliceSlogger, Infosecurity Magazine

March Madness brackets are about to be set this weekend, and over the course of the next four weeks more than 11 million viewers will tune in to watch the annual college basketball tournament. It’s a favorite of Vegas bookies and b-ball fans alike—but perhaps we should rename it March Hackness.

March Madness is a time for alliteration (Selection Sunday, Sweet Sixteen, Final Four)—but mostly, it’s a time for betting. It is widely common for friends, coworkers, family and pretty much everyone to want a piece of the action. In fact, Grandma might be wagering on which universities and colleges will have teams selected to be a part of the 68-team field as we speak. It’s shocking—simply shocking—what happens to otherwise upstanding citizens during this time of year. It’s In all, Americans are expected to front up $9.2 million in bets around the tournament.

True to the digital age we live in, most of these frenzied sports bettors will be turning to online sources to help them in their efforts—either to partake in online betting or to swap information that could be used to evaluate where to place those bets. It’s a tradition as timeworn as cement shoes in Mob-land and the exponential and baffling proliferation of baseball fans in October.

But there’s trouble, folks, right here in River City.

“Do fans actually know who is emailing them bracket information? Do they know the organization hosting the webpage where they submit their bet?” intoned Wombat Security, in an email imbued with dark warning. “Hackers are aware of this and use large events such as March Madness to their advantage by producing phishing emails and creating targeted advertisements aimed at obtaining your information.”

It added, “Hackers can use the hype to target millions on fans through online advertisements made to look like legitimate sites for bracket creation and betting. Others use phishing to get you to willing submit valuable information. Now they have your credit card information and a slice of the Americans are expected to wager on March Madness this year.”

What makes things even more intriguing to hackers is the fact that it’s the only major sporting event in the US that traditionally falls during our business day. So, even those who participate in viewing and playing in the innocuous-seeming office pools, are susceptible to a variety of security threats.

A few things to watch out for, whether you have a chunk of change just sitting there in your bank account waiting for its field-goal attempt, or if you’re just a super-fan, include rogue March Madness apps that promise score and bracket updates but also deliver advertising and malware; drive-by and download and install malware infections from March Madness-related sites, both legitimate and spoofed; phishing attacks targeting users following their March Madness brackets on popular sites such as ESPN, CBS Sports and Yahoo; malware masquerading as video players that will allow the user to stream the games; links posted in forums, comments and social media that promise March Madness info or streams, but only direct the user to an infected site; and a large influx of fake betting sites used to grift the credit card info of unsuspecting users.

“First and foremost, you should avoid emailed requests to participate in polls, surveys and contests related to March Madness, unless you know you explicitly signed up to be a part of such things from a known, and reputable, website," said Nathan Wenzler, chief security strategist at AsTech, a San Francisco-based security consulting company. "Unsolicited requests to sign up and provide information may be efforts to steal your personal information. Also, never click on links or attachments in an email. If you're partaking in a tournament bracket or a fantasy league, enter the site into your browser directly. Phishing emails may ultimately forward you on to the right site, but they can easily hijack the session to point you to other sites that download ransomware or malware to your system before they forward you along. Finally, never share any personal information such as passwords, account numbers, answers to personal verification questions or any other data that can be used to identify you. If you're not sure whether an email is legitimate or not, the best thing that you can do is ask. Legitimate businesses have ways to authenticate emails from their site through their web sites and/or support teams.”